lrvick 2 hours ago

I ask this on every supply chain security fail: Can we please mandate signing packages? Or at least commits?

NPM rejected PRs to support optional signing multiple times more than a decade ago now, and this choice has not aged well.

Anyone that cannot take 5 minutes to set up commit signing with a $40 usb smartcard to prevent impersonation has absolutely no business writing widely depended upon FOSS software.

Normalized negligence is still negligence.

4ndrewl 2 hours ago | parent [-]

Is the onus really on people who write code here? It really should be on those who choose to use this unsigned code, surely?

lrvick an hour ago | parent | next [-]

Anyone that maintains code for others to consume has a basic obligation to do the bare minimum to make sure their reputations are not hijacked by bad actors.

Just sign commits and reviews. It is so easy to stop these attacks that not doing so is like a doctor that refuses to wash their hands between patients.

If you are not going to wash your hands do not be a doctor.

If you are not going to sign your code do not be a FOSS maintainer.

lorenzohess 2 hours ago | parent | prev [-]

Perhaps, but if it's gotten to the point where millions of people download the unsigned code, signing should probably become required. Even reproducible builds.

4ndrewl an hour ago | parent [-]

Required by who though? If your business etc depends upon some code, it's up to you to ensure its quality, surely? You copy some code onto your machine then it's your codebase, right?

lrvick an hour ago | parent [-]

While I think anyone unwilling to sign their code is negligent, I also feel anyone unwilling to ensure credible review of code has been done before pushing it to production is equally negligent.